changeset 0: |
b3274687478e |
child 1: |
08c364669209 |
author: |
ellis <ellis@rwest.io> |
date: |
Tue, 07 Nov 2023 21:56:24 -0500 |
files: |
.hgignore common.mk makefile os/linux/makefile readme.org scripts/get-linux.sh |
description: |
init |
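--- /dev/null
+++ b/.hgignore
@@ -0,0 +1,3 @@
+.*[.](fasl|lock|elc|eln|scratch|tar)$
+.*(target|dist|node_modules|target-trunk|build)/.*
+linux/linux-[0-9]+[.].*/.*
\ No newline at end of file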
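--- /dev/null
+++ b/common.mk
@@ -0,0 +1,18 @@
+### common.mk --- common infra rules
+
+### Code:
+__ := $(.VARIABLES)
+COMMON_MK=$(lastword $(MAKEFILE_LIST))
+INFRA_DIR=$(realpath $(dir $(COMMON_MK)))
+INFRA_LISP_FILES=$(shell find $(INFRA_DIR) -type f \( -name '*.asd' -o -name '*.lisp' \) )
+INFRA_BUILD_DIR=$(INFRA_DIR)/build
+INFRA_DIST_DIR=$(INFRA_DIR)/dist
+INFRA_SCRIPT_DIR=$(INFRA_DIR)/scripts
+LINUX_VERSION:=$(shell uname -r | cut -d- -f1)
+SHELL=/bin/sh
+UNAME=$(shell uname)
+CURL:=curl
+CPU_COUNT:=$(shell getconf _NPROCESSORS_ONLN)
+HG_COMMIT:=$(shell hg id -i)
+VERSION:=
+VARS:=$(foreach v,$(filter-out $(__) __,$(.VARIABLES)),"\n$(v) = $($(v))")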
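Review bot: `INFRA_LISP_FILES=$(shell find …)` and `UNAME=$(shell uname)` use the recursive `=` flavour, so `find` and `uname` are re-executed on every expansion of those variables, while the neighbouring `LINUX_VERSION`, `CPU_COUNT` and `HG_COMMIT` already use `:=`. Change both to simple assignment: `INFRA_LISP_FILES:=$(shell find $(INFRA_DIR) -type f \( -name '*.asd' -o -name '*.lisp' \) )` and `UNAME:=$(shell uname)`. `VERSION:=` is assigned empty with no explanation; a one-line comment stating where VERSION is expected to be set would save the next reader a search.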
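--- /dev/null
+++ b/makefile
@@ -0,0 +1,3 @@
+### infra/makefile --- The Compiler Company Infrastructure
+include common.mk
+include os/linux/makefile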
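--- /dev/null
+++ b/os/linux/makefile
@@ -0,0 +1,13 @@
+### infra/os/linux/makefile --- Linux builder
+
+### Code:
+LINUX_TARGET:=linux-$(LINUX_VERSION)
+all:$(LINUX_TARGET) config
+$(LINUX_TARGET):scripts/get-linux.sh;
+ mkdir -pv build/$@
+ gpg --export autosigner@ torvalds@ gregkh@ > build/$@/keyring.gpg
+ $< $(LINUX_VERSION) build $(abspath build/$@/keyring.gpg)
+ unxz build/$@.tar.xz && tar -xvf build/$@.tar
+config:build/$(LINUX_TARGET);
+ cd $< && make mrproper -j && zcat /proc/config.gz > .config && make localmodconfig
+clean::;rm -rf build/$(LINUX_TARGET) build/$(LINUX_TARGET).* build/linux-tarball-verify.*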
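Review bot: The keyring handed to get-linux.sh by the `gpg --export autosigner@ torvalds@ gregkh@` line is built from whatever keys in the invoking user's default keyring have a user ID containing those substrings, so any locally imported key with a matching UID becomes a trust anchor for tarball verification; get-linux.sh's own header recommends full key IDs for exactly this reason. Export by full fingerprint instead, `gpg --export <AUTOSIGNER_FPR> <TORVALDS_FPR> <GREGKH_FPR> > build/$@/keyring.gpg` (placeholders; take the fingerprints from kernel.org's signature documentation), and consider checking that the exported keyring is non-empty before calling the script. Separately, the `config` recipe invokes `make` literally; it should be `$(MAKE)` so the jobserver and `-n` propagate, and `all` and `config` are not declared `.PHONY`. The `tar -xvf build/$@.tar` step appears to extract into the current directory while `config` expects `build/$(LINUX_TARGET)`; if so, `tar -xvf build/$@.tar -C build` lines the two up.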
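--- /dev/null
+++ b/readme.org
@@ -0,0 +1,2 @@
+#+TITLE: comp/infra
+#+AUTHOR: Richard Westhaver <ellis@rwest.io>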
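--- /dev/null
+++ b/scripts/get-linux.sh
@@ -0,0 +1,218 @@
+#!/bin/bash
+# https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball
+# get-verified-tarball
+# --------------------
+# Get Linux kernel tarball and cryptographically verify it,
+# retrieving the PGP keys using the Web Key Directory (WKD)
+# protocol if they are not already in the keyring.
+#
+# Pass the kernel version as the only parameter, or
+# we'll grab the latest stable kernel.
+#
+# Example: ./get-verified-tarball 4.4.145
+#
+# Configurable parameters
+# -----------------------
+# What kernel version do you want?
+HOST_VER=$(uname -r | cut -d- -f1)
+VER="${1:-$HOST_VER}"
+
+# Where to download the tarball and verification data.
+TARGETDIR=${2:-build/linux-$VER}
+
+# For CI and other automated infrastructure, you may want to
+# create a keyring containing the keys belonging to:
+# - autosigner@kernel.org
+# - torvalds@kernel.org
+# - gregkh@kernel.org
+#
+# To generate the keyring with these keys, do:
+# gpg --export autosigner@ torvalds@ gregkh@ > keyring.gpg
+# (or use full keyids for maximum certainty)
+#
+# Once you have keyring.gpg, install it on your CI system and set
+# USEKEYRING to the full path to it. If unset, we generate our own
+# from GNUPGHOME.
+# need to run make linux-keys first
+USEKEYRING=${3}
+
+# If you set this to empty value, we'll make a temporary
+# directory and fetch the verification keys from the
+# Web Key Directory each time. Also, see the USEKEYRING=
+# configuration option for an alternative that doesn't
+# rely on WKD.
+GNUPGHOME="$HOME/.gnupg"
+
+# Point this at your GnuPG binary version 2.1.11 or above.
+# If you are using USEKEYRING, GnuPG-1 will work, too.
+GPGBIN="/usr/bin/gpg2"
+GPGVBIN="/usr/bin/gpgv2"
+# We need a compatible version of sha256sum, too
+SHA256SUMBIN="/usr/bin/sha256sum"
+# And curl
+CURLBIN="/usr/bin/curl"
+# And we need the xz binary
+XZBIN="/usr/bin/xz"
+
+# You shouldn't need to modify this, unless someone
+# other than Linus or Greg start releasing kernels.
+DEVKEYS="torvalds@kernel.org gregkh@kernel.org"
+# Don't add this to DEVKEYS, as it plays a wholly
+# different role and is NOT a key that should be used
+# to verify kernel tarball signatures (just the checksums).
+SHAKEYS="autosigner@kernel.org"
+
+if [[ -z ${VER} ]]; then
+ # Assume you want the latest stable
+ VER=$(${CURLBIN} -sL https://www.kernel.org/finger_banner \
+ | grep 'latest stable version' \
+ | awk -F: '{gsub(/ /,"", $0); print $2}')
+fi
+if [[ -z ${VER} ]]; then
+ echo "Could not figure out the latest stable version."
+ exit 1
+fi
+
+MAJOR="$(echo ${VER} | cut -d. -f1)"
+if [[ ${MAJOR} -lt 3 ]]; then
+ echo "This script only supports kernel v3.x.x and above"
+ exit 1
+fi
+
+if [[ ! -d ${TARGETDIR} ]]; then
+ echo "${TARGETDIR} does not exist"
+ exit 1
+fi
+
+TARGET="${TARGETDIR}/linux-${VER}.tar.xz"
+# Do we already have this file?
+if [[ -f ${TARGET} ]]; then
+ echo "File ${TARGETDIR}/linux-${VER}.tar.xz already exists."
+ exit 0
+fi
+
+# Start by making sure our GnuPG environment is sane
+if [[ ! -x ${GPGBIN} ]]; then
+ echo "Could not find gpg in ${GPGBIN}"
+ exit 1
+fi
+if [[ ! -x ${GPGVBIN} ]]; then
+ echo "Could not find gpgv in ${GPGVBIN}"
+ exit 1
+fi
+
+# Let's make a safe temporary directory for intermediates
+TMPDIR=$(mktemp -d ${TARGETDIR}/linux-tarball-verify.XXXXXXXXX.untrusted)
+echo "Using TMPDIR=${TMPDIR}"
+# Are we using a keyring?
+if [[ -z ${USEKEYRING} ]]; then
+ if [[ -z ${GNUPGHOME} ]]; then
+ GNUPGHOME="${TMPDIR}/gnupg"
+ elif [[ ! -d ${GNUPGHOME} ]]; then
+ echo "GNUPGHOME directory ${GNUPGHOME} does not exist"
+ echo -n "Create it? [Y/n]"
+ read YN
+ if [[ ${YN} == 'n' ]]; then
+ echo "Exiting"
+ rm -rf ${TMPDIR}
+ exit 1
+ fi
+ fi
+ mkdir -p -m 0700 ${GNUPGHOME}
+ echo "Making sure we have all the necessary keys"
+ ${GPGBIN} --batch --quiet \
+ --homedir ${GNUPGHOME} \
+ --auto-key-locate wkd \
+ --locate-keys ${DEVKEYS} ${SHAKEYS}
+ # If this returned non-0, we bail
+ if [[ $? != "0" ]]; then
+ echo "Something went wrong fetching keys"
+ rm -rf ${TMPDIR}
+ exit 1
+ fi
+ # Make a temporary keyring and set USEKEYRING to it
+ USEKEYRING=${TMPDIR}/keyring.gpg
+ ${GPGBIN} --batch --export ${DEVKEYS} ${SHAKEYS} > ${USEKEYRING}
+fi
+# Now we make two keyrings -- one for the autosigner, and
+# the other for kernel developers. We do this in order to
+# make sure that we never verify kernel tarballs using the
+# autosigner keys, only using developer keys.
+SHAKEYRING=${TMPDIR}/shakeyring.gpg
+${GPGBIN} --batch \
+ --no-default-keyring --keyring ${USEKEYRING} \
+ --export ${SHAKEYS} > ${SHAKEYRING}
+DEVKEYRING=${TMPDIR}/devkeyring.gpg
+${GPGBIN} --batch \
+ --no-default-keyring --keyring ${USEKEYRING} \
+ --export ${DEVKEYS} > ${DEVKEYRING}
+
+# Now that we know we can verify them, grab the contents
+TXZ="https://cdn.kernel.org/pub/linux/kernel/v${MAJOR}.x/linux-${VER}.tar.xz"
+SIG="https://cdn.kernel.org/pub/linux/kernel/v${MAJOR}.x/linux-${VER}.tar.sign"
+SHA="https://www.kernel.org/pub/linux/kernel/v${MAJOR}.x/sha256sums.asc"
+
+# Before we verify the developer signature, we make sure that the
+# tarball matches what is on the kernel.org master. This avoids
+# CDN cache poisoning that could, in theory, use vulnerabilities in
+# the XZ binary to alter the verification process or compromise the
+# system performing the verification.
+SHAFILE=${TMPDIR}/sha256sums.asc
+echo "Downloading the checksums file for linux-${VER}"
+if ! ${CURLBIN} -sL -o ${SHAFILE} ${SHA}; then
+ echo "Failed to download the checksums file"
+ rm -rf ${TMPDIR}
+ exit 1
+fi
+echo "Verifying the checksums file"
+COUNT=$(${GPGVBIN} --keyring=${SHAKEYRING} --status-fd=1 ${SHAFILE} \
+ | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+if [[ ${COUNT} -lt 2 ]]; then
+ echo "FAILED to verify the sha256sums.asc file."
+ rm -rf ${TMPDIR}
+ exit 1
+fi
+# Grab only the tarball we want from the full list
+SHACHECK=${TMPDIR}/sha256sums.txt
+grep "linux-${VER}.tar.xz" ${SHAFILE} > ${SHACHECK}
+
+echo
+echo "Downloading the signature file for linux-${VER}"
+SIGFILE=${TMPDIR}/linux-${VER}.tar.asc
+if ! ${CURLBIN} -sL -o ${SIGFILE} ${SIG}; then
+ echo "Failed to download the signature file"
+ rm -rf ${TMPDIR}
+ exit 1
+fi
+echo "Downloading the XZ tarball for linux-${VER}"
+TXZFILE=${TMPDIR}/linux-${VER}.tar.xz
+if ! ${CURLBIN} -L -o ${TXZFILE} ${TXZ}; then
+ echo "Failed to download the tarball"
+ rm -rf ${TMPDIR}
+ exit 1
+fi
+
+pushd ${TMPDIR} >/dev/null
+echo "Verifying checksum on linux-${VER}.tar.xz"
+if ! ${SHA256SUMBIN} -c ${SHACHECK}; then
+ echo "FAILED to verify the downloaded tarball checksum"
+ popd >/dev/null
+ rm -rf ${TMPDIR}
+ exit 1
+fi
+popd >/dev/null
+
+echo
+echo "Verifying developer signature on the tarball"
+COUNT=$(${XZBIN} -cd ${TXZFILE} \
+ | ${GPGVBIN} --keyring=${DEVKEYRING} --status-fd=1 ${SIGFILE} - \
+ | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+if [[ ${COUNT} -lt 2 ]]; then
+ echo "FAILED to verify the tarball!"
+ rm -rf ${TMPDIR}
+ exit 1
+fi
+mv -f ${TXZFILE} ${TARGET}
+rm -rf ${TMPDIR}
+echo
+echo "Successfully downloaded and verified ${TARGET}"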
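Review bot: `GPGBIN="/usr/bin/gpg2"` and `GPGVBIN="/usr/bin/gpgv2"` are hard-coded, and the `-x` checks that follow abort the run when those exact paths are absent; on distributions that ship GnuPG 2 only as `gpg`/`gpgv` the script never reaches verification, while os/linux/makefile itself calls plain `gpg`. Allowing an environment override with a fallback, `GPGBIN="${GPGBIN:-$(command -v gpg2 || command -v gpg)}"` and likewise `GPGVBIN="${GPGVBIN:-$(command -v gpgv2 || command -v gpgv)}"`, keeps the two consistent. The header comment "or we'll grab the latest stable kernel" is stale now that `VER="${1:-$HOST_VER}"` defaults to the running kernel, so the finger_banner fallback is only reached when `uname -r` yields nothing. The comment `# need to run make linux-keys first` refers to a target that does not exist in the files added by this commit; the keyring is produced inline by the `$(LINUX_TARGET)` recipe in os/linux/makefile. `TMPDIR`, `USEKEYRING` and the other paths are expanded unquoted in `rm -rf ${TMPDIR}` and the gpg invocations, so a TARGETDIR containing whitespace would break them.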